Abstract

Recently there has been great attention from the scientific community towards the use of the model-checking technique as a tool for test generation in the simulation field. This paper aims to provide a useful means to get more insights along these lines. By applying recent results in the field of graded temporal logics, we present a new efficient model-checking algorithm for Hierarchical Finite State Machines (HSM), a well-established formalism long and widely used for representing hierarchical models of discrete systems. Performing model checking against specifications expressed using graded temporal logics has the peculiarity of returning more counterexamples within a single run. We think that this can greatly improve the efficacy of automatically obtaining test cases. In particular, we verify two different models of HSM against branching-time temporal properties.

1. INTRODUCTION 

Model checking is a widely used technique to verify the correctness of hardware and software systems. A model checker explores the state space of a model of a given system to determine whether a given specification is satisfied. Usually such specifications are expressed by means of formulas in a temporal logic, such as the Computation Tree Logic CTL [5]. A very useful feature for fixing the possible errors in the model is that when the model checker detects that the specification is violated, it returns a counterexample. In recent years this feature has also been exploited in the simulation framework. In fact, it is nowadays a well-established fact that formal (both software and hardware) analysis is a valid complementary technique to simulation and testing (see e.g. [17]). On one side, the model-checking approach [6] allows a full verification that system components are free of errors, but its use is limited to small and medium sized models, due to the so-called state explosion problem. On the other hand, the testing and simulation approaches [14] are usually applied to larger systems: they check for the presence of errors in the system behavior through the observation of a chosen set of controlled executions. In short, the efficacy of testing relies on the creation of test benches, and that of model checking on the ability to formally define the properties to be verified through temporal logic formulas. More explicitly, the complementarity of the two techniques lies in the fact that the counterexamples generated by a model checker can be interpreted as test cases. A good choice of the test suite is the key to successful detection of faults in simulation processes. Model checking has been used for this purpose for more than a decade, see e.g. [1, 4, 10, 15]. In this context, a high-level abstraction of the System Under Test (SUT) is necessary. Such an abstraction should be simple and easy to model check, but precise enough to serve as a basis for the generation of test cases. This approach can also be usefully adopted in the DEVS modeling and simulation framework [16].

However, not surprisingly, the most challenging problem is performance, and two issues are crucial: the choice of an efficient tool to generate the test suite and the choice of a suitable abstract model to check.

For the first issue, we propose the use of graded temporal logic specifications. In fact, standard model-checking tools generate only one counterexample for each run, and the check stage (of the model against a specification) is often expensive in terms of time. We claim that it is highly desirable to get more meaningful counterexamples within a single run of the model checker. For the second issue we propose the use of HSM as an abstract model of a DEVS modeling the SUT, which preserves the hierarchical structure while abstracting away the continuous variables. Thus we focus on how to generate simulation scenarios for DEVS by providing a tool which automatically generates multiple counterexamples in a single run, using hierarchical state machines as the abstract model. The sequence of events of each counterexample will then be used to create a timed test trace for DEVS simulation. Figure 1 shows a small example of our idea (the states labeled Try1 and Try2 are states on a higher hierarchy level standing for the graph $M_1$). Suppose we want to check whether the (timed) model in the figure satisfies the specification (clearly false) stating that if a Fail occurs in the first attempt (Try1) of sending a message, then an Abort event is eventually reached. We can model check an (untimed) over-approximation of the model (shown on the left), obtaining the error trace Start, Try1.(Send, Wait, Timeout, Fail), Try2.(Send, Wait, Ack), Success. This trace lets us concentrate on the portion of the model with a potential error and can guide the simulation process to detect the error in the timed model.

Let us now briefly detail the two notions of graded logics and HSM. In order to get more counterexamples in a single run we use specifications expressed in graded-CTL, recently introduced in [9]. Graded-CTL strictly extends classical CTL with graded modalities: classical CTL can be used for reasoning about the temporal behavior of systems considering either all the possible futures or at least one possible future, while graded-CTL uses graded extensions of both the existential and the universal quantifier. With graded-CTL formulas one can describe a constant number of future scenarios. For example, one can express that in $k$ different cases it is possible that a waiting process never obtains a requested resource, or that there are $k$ different ways for a system to reach a safe state from a given state.

The notion of finite state machine with a hierarchical structure has been used for many years for modelling discrete systems, since the introduction of Statecharts [?], and is currently applied in many fields as a specification formalism. In particular, in the model-checking framework, one of the most considered models is the Hierarchical State Machine (HSM) (see e.g. [1]). A generalization of HSM is introduced in [13] as an exponentially more succinct model where also higher-level states, called boxes, are labeled with atomic propositions. The intended meaning of such a labeling is that when a box $b$ expands to a machine $M$, all the vertices of $M$ inherit the atomic propositions of $b$ (its scope), so that different vertices expanding to $M$ can place $M$ into different scopes. Such a model is called a hierarchical state machine with scope-dependent properties (Scope-dependent Hierarchical State Machine, shortly SHSM).

Our contribution also aims at providing strong theoretical evidence of the soundness of our approach. In particular, we study the problem of verifying whether an SHSM models a given graded-CTL formula. We first give an algorithm to solve the graded-CTL model checking of an HSM, and then we extend it to model check general SHSMs. We show that the problem has the same computational complexity as CTL model checking, and we show how to solve it both for HSM and SHSM, with an extra factor in the exponent which is logarithmic in the maximal grading constant occurring in the graded-CTL formula. Let us stress that the experimental results for flat models reported in [?] show that this extra factor has no real effect on the running time of the algorithms (currently we are also implementing the algorithms presented here for hierarchical structures, and the initial tests are very promising).

The rest of the paper is organized as follows: in Sections 2 and 3 we give basic definitions and known results on graded-CTL and on SHSM, respectively; in Section 4 we give the algorithm to model check SHSM against graded-CTL specifications. In Section 5 we give our conclusions.

2. GRADED CTL 

In this section we first recall the definition of CTL and then give that of graded-CTL, see [9]. The temporal logic CTL [5] is a branching-time logic in which each temporal operator, expressing properties about a possible future, has to be preceded either by an existential or by a universal path quantifier. So, in CTL one can express properties that have to be true either immediately after now ($X$), or at each time from now on ($G$), or from now until something happens ($U$), and it is possible to specify that each property must hold either in some possible future ($E$) or in each possible future ($A$). Formally, given a finite set of atomic propositions $AP$, CTL is the set of formulas $\varphi$ defined as follows:

$$\varphi ::= p \mid \neg\psi_1 \mid \psi_1 \wedge \psi_2 \mid EX\psi_1 \mid EG\psi_1 \mid E\,\psi_1 U \psi_2$$

where $p \in AP$ is an atomic proposition and $\psi_1$ and $\psi_2$ are CTL formulas. The semantics of a CTL formula is defined with respect to a Kripke structure by means of the classical relation $\models$. As usual, a Kripke structure over a set of atomic propositions $AP$ is a tuple $\mathcal{K} = (S, s_{in}, R, L)$, where $S$ is a finite set of states, $s_{in} \in S$ is the initial state, $R \subseteq S \times S$ is a transition relation with the property that for each $s \in S$ there is $t \in S$ such that $(s, t) \in R$, and $L : S \to 2^{AP}$ is a labeling function. A path in $\mathcal{K}$ is denoted by the sequence of states $\pi = (s_0, s_1, \ldots, s_n)$, or by $\pi = (s_0, s_1, \ldots)$ if it is infinite. The length of a path, denoted by $|\pi|$, is the number of states in the sequence, and $\pi[i]$ denotes the $i$-th state $s_i$. Then, the relation $\models$ for a state $s \in S$ of $\mathcal{K}$ is inductively defined as follows:

• $(\mathcal{K}, s) \models p$, with $p \in AP$, iff $p \in L(s)$;

• $(\mathcal{K}, s) \models \neg\psi_1$ iff not $(\mathcal{K}, s) \models \psi_1$ (in short, $(\mathcal{K}, s) \not\models \psi_1$);

• $(\mathcal{K}, s) \models \psi_1 \wedge \psi_2$ iff $(\mathcal{K}, s) \models \psi_1$ and $(\mathcal{K}, s) \models \psi_2$;

• $(\mathcal{K}, s) \models EX\psi_1$ iff there exists $s'$ such that $(s, s') \in R$ and $(\mathcal{K}, s') \models \psi_1$ (the path $(s, s')$ is called an evidence of the formula $X\psi_1$);

• $(\mathcal{K}, s) \models EG\psi_1$ iff there exists an infinite path $\pi$ starting from $s$ (i.e., $\pi[0] = s$) such that for all $j \geq 0$, $(\mathcal{K}, \pi[j]) \models \psi_1$ (the path $\pi$ is called an evidence of the formula $G\psi_1$);

• $(\mathcal{K}, s) \models E\,\psi_1 U \psi_2$ iff there exists a finite path $\pi$ with length $|\pi| = r+1$ starting from $s$ such that $(\mathcal{K}, \pi[r]) \models \psi_2$ and, for all $0 \leq j < r$, $(\mathcal{K}, \pi[j]) \models \psi_1$ (the path $\pi$ is called an evidence of the formula $\psi_1 U \psi_2$).

We say that a Kripke structure $\mathcal{K} = (S, s_{in}, R, L)$ models a CTL formula $\varphi$ iff $(\mathcal{K}, s_{in}) \models \varphi$. Note that we have expressed the syntax of CTL with one of the possible minimal sets of operators. Other temporal operators, as well as the universal path quantifier $A$, can be easily derived from those. Graded-CTL extends classical CTL by adding graded modalities on the quantifier operators. Graded modalities specify in how many possible futures a given path property has to hold, and thus generalize CTL, allowing one to reason about more than a given number of possible distinct future behaviors. Let us first define the notion of distinct. Let $\mathcal{K} = (S, s_{in}, R, L)$ be a Kripke structure. We say that two paths $\pi_1$ and $\pi_2$ on $\mathcal{K}$ are distinct if there exists an index $0 \leq i < \min\{|\pi_1|, |\pi_2|\}$ such that $\pi_1[i] \neq \pi_2[i]$. Observe that from this definition, if a path is a prefix of another path, then they are not distinct. The graded existential path quantifier $E^{>k}$ requires the existence of $k+1$ pairwise distinct evidences of a path formula. Given a set of atomic propositions $AP$, the syntax of graded-CTL is defined as follows:

$$\varphi ::= p \mid \neg\psi_1 \mid \psi_1 \wedge \psi_2 \mid E^{>k}X\psi_1 \mid E^{>k}G\psi_1 \mid E^{>k}\psi_1 U \psi_2$$

where $p \in AP$, $k$ is a non-negative integer and $\psi_1$ and $\psi_2$ are graded-CTL formulas. The semantics of graded-CTL is still defined with respect to a Kripke structure $\mathcal{K} = (S, s_{in}, R, L)$ on the set of atomic propositions $AP$. In particular, for formulas of the form $p$, $\neg\psi_1$ and $\psi_1 \wedge \psi_2$ the semantics is the same as in classical CTL. For the remaining formulas, the semantics is defined as follows:



• $(\mathcal{K}, s) \models E^{>k}\theta$, with $k \geq 0$ and either $\theta = X\psi_1$ or $\theta = G\psi_1$ or $\theta = \psi_1 U \psi_2$, iff there exist $k+1$ pairwise distinct evidences of $\theta$ starting from $s$.

It is easy to observe that classical CTL is a proper fragment of graded-CTL, since the simple graded formula $E^{>1}Xp$ cannot be expressed in CTL, whereas any CTL formula is also a graded-CTL formula (note that $E^{>0}\theta$ is equivalent to $E\theta$). We can also consider the graded extension of the universal quantifier, $A^{\leq k}$, with the meaning that all the paths starting from a node $s$, except at most $k$ pairwise distinct paths, are evidences of a given path formula. The quantifier $A^{\leq k}$ is the dual operator of $E^{>k}$ and can obviously be rewritten in terms of $\neg E^{>k}$. However, while $A^{\leq k}X\psi_1$ and $A^{\leq k}G\psi_1$ can be easily rewritten respectively as $\neg E^{>k}X\neg\psi_1$ and $\neg E^{>k}F\neg\psi_1$, the transformation of the formula $A^{\leq k}\psi_1 U \psi_2$ with $k > 0$ in terms of $\neg E^{>k}$ deserves more care (see [9] for a detailed treatment).

Graded-CTL model checking is the problem of verifying whether a Kripke structure $\mathcal{K}$ models a graded-CTL formula $\varphi$. The complexity of the graded-CTL model-checking problem is linear with respect to the size of the Kripke structure and to the size of the formula (the latter being the number of temporal and boolean operators occurring in it). Let us remark that this complexity is independent of the integers $k$ occurring in the formula.

3. SCOPE-DEPENDENT HIERARCHICAL 
STATE MACHINES 

In this section we formally define Scope-dependent Hierarchical State Machines and recall some known results. Scope-dependent Hierarchical State Machines are defined as follows.

Definition 1. A Scope-dependent Hierarchical State Machine (SHSM) over $AP$ is a tuple $\mathcal{M} = (M_1, M_2, \ldots, M_h)$, where each $M_i = (V_i, in_i, OUT_i, TRUE_i, expn_i, E_i)$ is called a machine and consists of:

• a finite set of vertices $V_i$, an initial vertex $in_i \in V_i$ and a set of output vertices $OUT_i \subseteq V_i$;

• a labeling function $TRUE_i : V_i \to 2^{AP}$ that maps each vertex to a set of atomic propositions;

• an expansion mapping $expn_i : V_i \to \{0, 1, \ldots, h\}$ such that $expn_i(u) < i$ for each $u \in V_i$, and $expn_i(u) = 0$ for each $u \in \{in_i\} \cup OUT_i$;

• a set of edges $E_i$ where each edge is either a couple $(u, v)$, with $u, v \in V_i$ and $expn_i(u) = 0$, or a triple $((u, z), v)$ with $u, v \in V_i$, $expn_i(u) = j$, $j > 0$, and $z \in OUT_j$.

In the rest of the paper we use $h$ as the number of machines of an SHSM $\mathcal{M}$, and $M_h$ is called the top-level machine.
Figure 2. A simple SHSM.



We assume that the sets of vertices $V_i$ are pairwise disjoint. The set of all vertices of $\mathcal{M}$ is $V = \bigcup_{i=1}^{h} V_i$. The mappings $expn : V \to \{0, 1, \ldots, h\}$ and $TRUE : V \to 2^{AP}$ extend the mappings $expn_i$ and $TRUE_i$, respectively. If $expn(u) = j > 0$, the vertex $u$ expands to the machine $M_j$ and is called a box. When $expn(u) = 0$, $u$ is called a node. Let us define the closure $expn^+ : V \to 2^{\{1, \ldots, h\}}$ as: $j \in expn^+(u)$ if either $j = expn(u)$ or there exists $u' \in V_{expn(u)}$ such that $j \in expn^+(u')$. We say that a vertex $u$ is an ancestor of $v$, and $v$ is a descendant of $u$, if $v \in V_j$ for some $j \in expn^+(u)$.

A vertex $v \in V_i$ is called a successor of $u \in V_i$ if there is an edge $(u, v) \in E_i$, and it is called a $z$-successor of $u$, for $z \in OUT_{expn(u)}$, if $((u, z), v) \in E_i$.

An HSM is an SHSM such that $TRUE(b) = \emptyset$ for any box $b$.

As an example of an SHSM [13], see Figure 2, where $p_1, p_2, p_3$ are atomic propositions labeling nodes and boxes of $\mathcal{M}$, $in_i$ and $z_i$ are respectively the entry node and the exit node for $i = 1, 2, 3$, and $expn(b^i_j) = j - 1$ for $i = 0, 1$ and $j = 2, 3$.

Semantics. The semantics of an SHSM $\mathcal{M}$ is given by a flat Kripke structure, denoted $\mathcal{M}^F$.

A sequence of vertices $\alpha = u_1 \ldots u_m$, $m \geq 1$, is called a well-formed sequence if $u_{\ell+1} \in V_{expn(u_\ell)}$ for $\ell = 1, \ldots, m-1$. Moreover, $\alpha$ is also complete when $u_1 \in V_h$ and $u_m$ is a node.

A state of $\mathcal{M}^F$ is $\langle \alpha \rangle$, where $\alpha$ is a complete well-formed sequence of $\mathcal{M}$. Note that the length of a complete well-formed sequence is at most $h$; therefore the number of states of $\mathcal{M}^F$ is at most exponential in the number of machines composing $\mathcal{M}$. Transitions of $\mathcal{M}^F$ are obtained by using the edges of $\mathcal{M}$ as templates. Figure 3 shows the Kripke structure which is equivalent to the SHSM of Figure 2. We formally define $\mathcal{M}^F$ as follows. Given an SHSM $\mathcal{M} = (M_1, M_2, \ldots, M_h)$, it is immediate to observe that the tuple $\mathcal{M}_j = (M_1, M_2, \ldots, M_j)$, $1 \leq j \leq h$, is an SHSM as well. Clearly, $\mathcal{M}_h = \mathcal{M}$. In the following, we sketch how to compute recursively the flat Kripke structures $\mathcal{M}_j^F$.



We start with $\mathcal{M}_1^F$, which is obtained from machine $M_1$ by simply replacing each vertex $u$ with a state $\langle u \rangle$ labeled with $TRUE(\langle u \rangle) = TRUE(u)$ (recall that by definition all vertices of $\mathcal{M}_1$ are nodes). Then, for each edge $(v, w) \in E_1$ we add a transition $(\langle v \rangle, \langle w \rangle)$ in $\mathcal{M}_1^F$.

For $j > 1$, $\mathcal{M}_j^F$ is obtained from $M_j$ by simply replacing each box $u$ of $M_j$ with a copy of the Kripke structure $\mathcal{M}^F_{expn(u)}$. More precisely, for each node $u \in V_j$, $\langle u \rangle$ is a state of $\mathcal{M}_j^F$ which is labeled with $TRUE(u)$, and for each box $u \in V_j$ and state $\langle \alpha \rangle$ of $\mathcal{M}^F_{expn(u)}$, $\langle u\alpha \rangle$ is a state of $\mathcal{M}_j^F$ and is labeled with $TRUE(u) \cup TRUE(\langle \alpha \rangle)$. The transitions of $\mathcal{M}^F_{expn(u)}$ are all inherited in $\mathcal{M}_j^F$, that is, there is a transition $(\langle u\alpha \rangle, \langle u\beta \rangle)$ in $\mathcal{M}_j^F$ for each transition $(\langle \alpha \rangle, \langle \beta \rangle)$ of $\mathcal{M}^F_{expn(u)}$. The remaining transitions of $\mathcal{M}_j^F$ correspond to the edges of $M_j$:

• for each node $v \in V_j$ and edge $(u, v) \in E_j$ (resp. $((u, z), v) \in E_j$) there is a transition from $\langle u \rangle$ (resp. $\langle uz \rangle$) to $\langle v \rangle$;

• for each box $v \in V_j$ and edge $(u, v) \in E_j$ (resp. $((u, z), v) \in E_j$) there is a transition from $\langle u \rangle$ (resp. $\langle uz \rangle$) to $\langle v\, in_{expn(v)} \rangle$.

A box $u$ expanding into $M_j$ is a placeholder for $\mathcal{M}_j^F$ and determines a subgraph in $\mathcal{M}^F$ isomorphic to $\mathcal{M}_j^F$. This is emphasized in Figure 3, where we have enclosed in shades of the same shape and color the isomorphic subgraphs corresponding to the same graph $\mathcal{M}_j^F$. Therefore, Figure 3 also illustrates the recursive definition of $\mathcal{M}^F$.

If two distinct boxes $u_1$ and $u_2$ both expand into the same machine $M_j$, that is $expn(u_1) = expn(u_2) = j$, then the states of $\mathcal{M}_j^F$ appear in $\mathcal{M}^F$ in two different scopes, possibly labeled with different sets of atomic propositions: in one scope this set contains $TRUE(u_1)$ and in the other it contains $TRUE(u_2)$. The atomic propositions labeling boxes represent scope properties. In fact, for a given box $u$, the set $TRUE(u)$ of atomic propositions is meant to hold true at $u$ and at all its possible descendants.

Figure 3. The Kripke structure obtained by flattening the SHSM $\mathcal{M}$ of Figure 2.
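The recursive construction of $\mathcal{M}^F$ just described, as an added Python example that is not code from the paper: `flatten` builds $\mathcal{M}_1^F, \ldots, \mathcal{M}_h^F$ bottom-up, replacing each box $u$ by a copy of $\mathcal{M}^F_{expn(u)}$ whose states are prefixed with $u$ and whose labels absorb $TRUE(u)$. The three-machine SHSM at the end is constructed for the example and is not the paper's Figure 2; the `Machine` class and the `flatten` function are this example's own names.

```python
from dataclasses import dataclass


@dataclass
class Machine:
    """One machine M_i = (V_i, in_i, OUT_i, TRUE_i, expn_i, E_i) of an SHSM."""
    vertices: set   # V_i
    init: str       # in_i
    outs: set       # OUT_i
    true: dict      # TRUE_i: vertex -> set of atomic propositions (scope labels for boxes)
    expn: dict      # expn_i: vertex -> 0 for a node, j > 0 for a box expanding into M_j
    edges: set      # (u, v) for a node u, ((u, z), v) for a box u and z in OUT_{expn(u)}


def flatten(machines):
    """Compute the flat Kripke structure M^F of the SHSM (M_1, ..., M_h).

    Returns (states, labels, transitions) of M_h^F.  A state is the tuple of
    vertices of a complete well-formed sequence <b_1 ... b_m u>; labels maps a
    state to its set of atomic propositions; transitions is a set of state pairs.
    """
    flat = {}  # j -> (states, labels, transitions) of M_j^F, built for j = 1, ..., h
    for j, m in enumerate(machines, start=1):
        states, labels, trans = set(), {}, set()
        for u in m.vertices:
            if m.expn[u] == 0:
                # a node u becomes the state <u>, labeled TRUE(u)
                states.add((u,))
                labels[(u,)] = set(m.true[u])
            else:
                # a box u is replaced by a copy of M^F_{expn(u)}: every state <alpha>
                # becomes <u alpha> and inherits the scope labels TRUE(u) of the box
                sub_states, sub_labels, sub_trans = flat[m.expn[u]]
                for a in sub_states:
                    states.add((u,) + a)
                    labels[(u,) + a] = set(m.true[u]) | sub_labels[a]
                for a, b in sub_trans:
                    trans.add(((u,) + a, (u,) + b))
        # the remaining transitions are templated by the edges of M_j
        for src, v in m.edges:
            # source state: <u> for an edge (u, v), <u z> for an edge ((u, z), v)
            src_state = src if isinstance(src, tuple) else (src,)
            if m.expn[v] == 0:
                dst_state = (v,)                                # node target: <v>
            else:
                dst_state = (v, machines[m.expn[v] - 1].init)   # box target: <v in_{expn(v)}>
            trans.add((src_state, dst_state))
        flat[j] = (states, labels, trans)
    return flat[len(machines)]


# Constructed three-machine SHSM (not the paper's Figure 2).  M_1 is a plain
# machine, M_2 wraps a box b expanding into M_1, and the top-level M_3 has two
# boxes c and d expanding into M_2 in different scopes, labeled p and q.
M1 = Machine({"in1", "a", "z1"}, "in1", {"z1"},
             {"in1": set(), "a": {"r"}, "z1": set()},
             {"in1": 0, "a": 0, "z1": 0},
             {("in1", "a"), ("a", "z1")})
M2 = Machine({"in2", "b", "z2"}, "in2", {"z2"},
             {"in2": set(), "b": set(), "z2": {"s"}},
             {"in2": 0, "b": 1, "z2": 0},
             {("in2", "b"), (("b", "z1"), "z2")})
M3 = Machine({"in3", "c", "d", "z3"}, "in3", {"z3"},
             {"in3": set(), "c": {"p"}, "d": {"q"}, "z3": set()},
             {"in3": 0, "c": 2, "d": 2, "z3": 0},
             {("in3", "c"), (("c", "z2"), "d"), (("d", "z2"), "z3"), ("z3", "in3")})

if __name__ == "__main__":
    states, labels, trans = flatten([M1, M2, M3])
    print(len(states), "states,", len(trans), "transitions")
    for s in sorted(states):
        print(s, sorted(labels[s]))
```

The two copies of $M_2$ inside `c` and `d` come out as isomorphic subgraphs whose states differ only by the inherited scope label, which is exactly what Figure 3 emphasizes for the paper's example.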

Succinctness. Clearly, any hierarchical structure, either an HSM or an SHSM, is in general more succinct than a traditional Kripke structure. Scope properties make SHSM possibly even more succinct than HSM. In fact, two isomorphic subgraphs of a Kripke structure which differ only in the labeling of the vertices can be represented in an SHSM by a single machine $M_j$, while they must be represented by two different machines in an HSM. Let us recall two main results from [13] on the succinctness of these models, where a restricted SHSM is an SHSM such that for all vertices $u, v$ with $u$ an ancestor of $v$ in $\mathcal{M}$ it holds that $TRUE(u) \cap TRUE(v) = \emptyset$.

Theorem 1 ([13]). Restricted SHSMs can be exponentially more succinct than HSMs and finite state machines.

There is an exponential gap also between restricted SHSMs and SHSMs, as shown in the following theorem.

Theorem 2 ([13]). SHSMs can be exponentially more succinct than restricted SHSMs.

Observe that HSMs, restricted SHSMs and SHSMs can all be translated to equivalent finite state machines with a single exponential blow-up. Thus, the two succinctness results do not add up to each other, in the sense that it is not true that SHSMs can be doubly exponentially more succinct than HSMs.

4. MODEL CHECKING PROBLEM 

CTL model checking is the problem of verifying whether a Kripke structure $\mathcal{K}$ models a CTL formula. For an SHSM $\mathcal{M}$, CTL model checking is the problem of verifying whether the flat structure $\mathcal{M}^F$ models a CTL formula. It is known that the CTL model-checking problem can be solved in linear time in the size of both the formula and the machine, see [5], while it is exponential for both HSM and SHSM. More precisely, the following theorem holds.

Theorem 3 ([1], [13]). The CTL model checking of an SHSM $\mathcal{M}$ for a formula $\varphi$ can be solved in $O(|\mathcal{M}| \cdot 2^{|\varphi| \cdot d + |AP_\varphi|})$ time, where $d$ is the maximum number of exit nodes of $\mathcal{M}$ and $AP_\varphi$ is the set of atomic propositions occurring in $\varphi$. Moreover, if $\mathcal{M}$ is an HSM, then it can be solved in $O(|\mathcal{M}| \cdot 2^{|\varphi| \cdot d})$ time.

In this section we extend this result to model checking a hierarchical structure against a graded-CTL formula. We first show an algorithm for graded-CTL model checking of an HSM, and then we extend it to model check SHSMs.

The aim of the algorithm is to determine, for each node $u$ in a machine $M_j$ of $\mathcal{M}$ and each subformula $\psi$ of $\varphi$, whether $u$ satisfies $\psi$ or not. However, the concept of satisfaction may be ambiguous, since whether $u$ satisfies $\psi$ or not may depend on the possible different sequences of boxes which expand into $M_j$. Thus, the algorithm transforms $\mathcal{M}$ in such a way that either for every box sequence $b_1, \ldots, b_m$ it holds that $(\mathcal{M}^F, \langle b_1 \ldots b_m u \rangle) \models \psi$ (and in this case we say that $u$ satisfies $\psi$), or for every $b_1, \ldots, b_m$ it holds that $(\mathcal{M}^F, \langle b_1 \ldots b_m u \rangle) \not\models \psi$. This transformation produces multiple copies of each $M_j$, for $j < h$ (clearly, since no box expands into the top-level machine $M_h$, there is no such ambiguity for $u \in M_h$).

The algorithm considers the subformulas $\psi$ of $\varphi$, starting from the innermost ones, and, for each node $u$ in $\mathcal{M}$, sets $u.\psi = TRUE$ if $u$ satisfies $\psi$, possibly modifying the hierarchical structure. If $\psi$ is an atomic proposition, or it is either $\neg\theta$ or $\theta_1 \wedge \theta_2$, the algorithm is trivial. For subformulas with temporal operators and grade 0, the algorithm behaves exactly as in [1] for CTL model checking. We now show how it behaves for subformulas of the form $\psi = E^{>k}\theta$, with $k > 0$ and $\theta \in \{X\theta_1, G\theta_1, \theta_1 U \theta_2\}$. By inductive hypothesis, we assume that the algorithm has already set $u.\theta_i = TRUE$ if $u$ satisfies $\theta_i$, for $i = 1, 2$.

The algorithm for $\psi = E^{>k}X\theta_1$ is rather simple. It starts from the nodes of $M_1$, setting $u.\psi = TRUE$ if $u$ satisfies $\psi$, and then inductively considers all the machines. Let $u$ be a node of $M_j$. If $u \notin OUT_j$, then it satisfies $\psi$ if there are at least $k+1$ successors in $M_j$ satisfying $\theta_1$. For an output node $z \in OUT_j$, whether $z$ satisfies $\psi$ depends also on the successors of a box expanding into $M_j$. Multiple copies of $M_j$ are then created, denoted $M_j^g$, where $g : OUT_j \to \{0, \ldots, k+1\}$, which correspond to the different contexts in which $M_j$ occurs. The nodes of $M_j^g$ are $u^g$, for a node $u$ of $M_j$, and the boxes are $b^g$, for a box $b$ of $M_j$. The idea is that $g(z)$ is the number of $z$-successors, satisfying $\theta_1$, of a box expanding into $M_j$ (recall that the edges outgoing from a box $b$ are of the type $((b, z), v)$, and we call such a $v$ a $z$-successor of $b$). Thus, the algorithm sets $z^g.\psi = TRUE$ if the sum of $g(z)$ and the number of successors of $z$ in $M_j$ satisfying $\theta_1$ is greater than $k$. Moreover, for each box $b$, the algorithm calculates the number of $z$-successors of $b$ satisfying $\theta_1$. The new HSM is then obtained by defining the new expansion of $b$ in $M_j$: $b$ expands into the copy $M^g_{expn(b)}$ of $M_{expn(b)}$ such that $g(z)$ is the number of $z$-successors of $b$ satisfying $\theta_1$.

Consider now formulas of the type $\psi = E^{>k}G\theta_1$, and let us call $\psi' = E^{>0}G\theta_1$.

The algorithm first determines which nodes of the HSM $\mathcal{M}$ satisfy the CTL formula $\psi'$. At the end of this step $\mathcal{M}$ is modified in such a way that each node $u$ either satisfies $\psi'$ or satisfies $\neg\psi'$. In doing that, the size of $\mathcal{M}$ may double (cf. [1]). Call $S$ the set of the nodes satisfying $\psi'$.

The algorithm determines, for each node $u \in S$, whether $u$ satisfies $\psi$ using the following idea. Let a sink-cycle be a cycle containing only nodes with out-degree 1.

Claim 1. Consider the graph induced by the states of $\mathcal{M}^F$ where $\psi'$ holds. Then, given a state $s$, $(\mathcal{M}^F, s) \models \psi$ iff in this graph either there is a non-sink-cycle reachable from $s$, or there are $k+1$ pairwise distinct finite paths connecting $s$ to sink-cycles.

The algorithm checks the property of the claim by analyzing all the machines $M_j$ of $\mathcal{M}$, starting from the bottom-level machine $M_1$, which contains no boxes. For each machine $M_j$, it performs a preliminary step to determine the set $NSC_j \subseteq S$ of nodes $u \in V_j$ such that a non-sink-cycle is reachable in $\mathcal{M}_j^F$ from $\langle u \rangle$ through nodes of $S$.

Then, in a successive step, the algorithm detects the other nodes satisfying $\psi$. In particular, for any detected node $u \in V_j$ and for any sequence $\alpha$ of boxes (below we show how to remove this dependency on $\alpha$) one of the following situations occurs:

• there is a non-sink cycle reachable in $\mathcal{M}^F$ from the state $\langle \alpha u \rangle$ including only nodes in $S$;

• $k+1$ paths start in $\mathcal{M}^F$ from $\langle \alpha u \rangle$, each going through nodes belonging to $S$ and ending in sink-cycles.

Observe that, if the non-sink cycle is in $\mathcal{M}^F$ but it is not in $\mathcal{M}_j^F$, then $u \notin NSC_j$, and thus the former case has not been detected by the algorithm in the preliminary step.

In order to make the above properties independent of the choice of $\alpha$, also in this case multiple copies of each $M_j$ are created, one for each different context in which $M_j$ occurs. Each copy is denoted $M_j^g$, where $g : OUT_j \to \{0, \ldots, k+1\}$ is a mapping such that if $z$ does not satisfy $\psi'$ then $g(z) = 0$. Its nodes and boxes are obtained by renaming the nodes and boxes of $M_j$, as in the previous case.

Let us now give some details on how the above steps are realized.

The set $NSC_j$, for $j \in \{1, \ldots, h\}$, is computed by visiting a graph $M'_j$ whose nodes are those in $V_j \cap S$. If $j \neq 1$, then $M'_j$ also contains the boxes $b$ of $M_j$ such that $in_{expn(b)} \in S$, and new vertices $(b, z)$ for $z \in OUT_{expn(b)} \cap S$ (recall that there are no boxes in $M_1$). The edges of $M_j$ connecting the boxes and the nodes above are edges also of this graph; moreover, there is an edge from $b$ to $(b, z)$ if there is a path from $in_{expn(b)}$ to $z$ in $M'_{expn(b)}$ consisting only of vertices not belonging to $NSC_{expn(b)}$.

The algorithm proceeds inductively, starting from $M_1$. When $M_j$ is considered, for $j > 1$, we assume that the sets $NSC_{j'}$ have already been determined for all $j' < j$, and that, for each $z \in OUT_{j'}$, it has also been checked whether there is a path from $in_{j'}$ to $z$ consisting only of vertices not belonging to $NSC_{j'}$ (observe that this property is used to define the edges in $M'_j$). Moreover, we assume that, if there is such a path, it has also been checked whether there are vertices in the path with out-degree greater than 1 and whether $z$ has an outgoing edge within $M'_{j'}$. The result of this test is useful to detect the non-sink cycles and thus to determine the set $NSC_j$. In fact, if either a node $z \in OUT_{expn(b)}$ has an outgoing edge or there is a vertex with out-degree at least 2 in the path from $in_{expn(b)}$ to $z$, then a cycle going through $(b, z)$ in $M'_j$ determines a non-sink cycle in the corresponding flat machine.

Once the set $NSC_j$ has been computed, the algorithm sets $u.\psi = TRUE$ for all $u \in NSC_j$, and then it performs the successive step considering only the remaining nodes.

For each $j$ and each mapping $g : OUT_j \to \{0, \ldots, k+1\}$, a dag $G_j^g$ is constructed with the nodes $u \in V_j \cap S$ such that $u \notin NSC_j$, the boxes $b$ and the new vertices $(b, z)$, for $z \in OUT_{expn(b)}$, such that both $in_{expn(b)}$ and $z$ satisfy $\psi'$ and do not belong to $NSC_{expn(b)}$, and with the exception that the sink cycles are replaced by a single vertex. The edges in $G_j^g$ are those of $M_j$.

The algorithm labels the vertices of $G_j^g$, starting from the leaves, as follows.

• $z \in OUT_j$ is labeled by $g(z)$;

• if $x$ in $G_j^g$ is not a box and has successors $x_1, \ldots, x_s$ labeled by $l_1, \ldots, l_s$, then $x$ is labeled by $l = \min\{l_1 + \cdots + l_s,\ k+1\}$;

• for a box $b$ such that $expn(b) = j'$, let $g'$ be the mapping such that $g'(z) = r$ if $(b, z)$ is labeled by $r$, for $z \in OUT_{j'}$. If $in_{j'}$ has been labeled by $l$ in the dag $G_{j'}^{g'}$, then $b$ is labeled $l$ as well (observe that the labeling of $in_{j'}$ in $G_{j'}^{g'}$ has already been determined, since $j' < j$).

As said above, new machines $M_j^g$ have been constructed as copies of $M_j$, by renaming its nodes and boxes. Now, for each $u \in V_j$, the algorithm sets $u^g.\psi = TRUE$ if $u$ is labeled by $k+1$ in $G_j^g$.

Finally, the expansion mapping for $M_j^g$ is defined as follows: if $expn_j(b) = j'$ then $b^g$ now expands into $M_{j'}^{g'}$, where $g'$ is such that $g'(z) = r$ for each $z \in OUT_{j'}$ which has been labeled by $r$ in $G_j^g$.
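As an added example, not code from the paper, the following Python applies the $E^{>k}X$ counting and the Claim 1 argument for $E^{>k}G$ directly to a flat Kripke structure: it computes the set $S$ of states satisfying $E^{>0}G\theta_1$, the states from which a non-sink cycle is reachable, and the capped path count $\min\{l_1 + \cdots + l_s, k+1\}$, without the per-machine copies the hierarchical algorithm needs. The retry-style structure `RETRY` and the function names are this example's own constructions, not the paper's Figure 1.

```python
from functools import lru_cache


def reachable(adj, start):
    """States reachable from any state in `start` (the start states included)."""
    seen, stack = set(start), list(start)
    while stack:
        for t in adj.get(stack.pop(), ()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def eg_states(adj, theta):
    """Classical CTL: states satisfying E G theta, the greatest fixpoint of the
    theta-states that keep at least one successor inside the set."""
    S = set(theta)
    while True:
        keep = {s for s in S if any(t in S for t in adj[s])}
        if keep == S:
            return S
        S = keep


def graded_EX(adj, theta, k):
    """E^{>k} X theta: at least k+1 successors satisfy theta."""
    return {s for s in adj if sum(1 for t in adj[s] if t in theta) > k}


def graded_EG(adj, theta, k):
    """E^{>k} G theta, following Claim 1: in the graph induced by the states
    satisfying E G theta, s satisfies the formula iff a non-sink cycle is reachable
    from s (infinitely many distinct evidences) or k+1 pairwise distinct paths
    lead from s into sink cycles (cycles whose nodes all have out-degree 1)."""
    S = eg_states(adj, theta)
    sub = {s: [t for t in adj[s] if t in S] for s in S}          # induced graph
    on_cycle = {s for s in S if s in reachable(sub, sub[s])}
    seeds = {s for s in on_cycle if len(sub[s]) >= 2}            # lies on a non-sink cycle
    nsc = {s for s in S if reachable(sub, {s}) & seeds}          # NSC: non-sink cycle reachable

    @lru_cache(maxsize=None)
    def label(s):
        # Outside NSC every reachable cycle is a sink cycle, so the remaining graph
        # is a dag once each sink cycle is treated as one leaf worth one evidence.
        if s in on_cycle:
            return 1
        return min(sum(label(t) for t in sub[s]), k + 1)         # capped path count

    return nsc | {s for s in S - nsc if label(s) == k + 1}


# Constructed Kripke structure (not the paper's Figure 1): a message is sent twice,
# the first attempt can time out and be retried, the second can fail for good.
RETRY = {
    "start": ["try1"],
    "try1": ["wait1"],
    "wait1": ["ack1", "timeout1"],
    "ack1": ["success"],
    "timeout1": ["try2"],
    "try2": ["wait2"],
    "wait2": ["ack2", "fail"],
    "ack2": ["success"],
    "success": ["success"],
    "fail": ["fail"],
}
NOT_FAIL = set(RETRY) - {"fail"}   # theta_1 = "fail has not occurred"

if __name__ == "__main__":
    for k in range(3):
        print(f"E^{{>{k}}} G not-fail holds at:", sorted(graded_EG(RETRY, NOT_FAIL, k)))
    print("E^{>1} X not-fail holds at:", sorted(graded_EX(RETRY, NOT_FAIL, 1)))
```

With $k = 1$ only `start`, `try1` and `wait1` satisfy $E^{>1}G\,\neg fail$, since two distinct fail-free futures diverge only at `wait1`; with $k = 2$ no state does, which is the kind of information a single graded run yields and a plain CTL check does not.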

Finally, for the case of a subformula $\psi = E^{>k}\theta_1 U \theta_2$, with $k > 0$, the algorithm behaves in a similar way. It first determines the nodes of $\mathcal{M}$ which satisfy $E^{>0}\theta_1 U \theta_2$, and then it determines, for each node $u \in S$, whether $u$ satisfies $\psi$, with an approach suggested by the following claim.

Claim 2. Consider the graph induced by the states of $\mathcal{M}^F$ where $E^{>0}\theta_1 U \theta_2$ holds, and by deleting the edges outgoing from states where $\theta_1$ does not hold. Then, given a state $s$, $(\mathcal{M}^F, s) \models \psi$ iff in this graph either there is a non-sink-cycle reachable from $s$, or there are $k+1$ pairwise distinct finite paths connecting $s$ to states where $\theta_2$ holds.

Thus, the main difference with respect to the steps described above is in the definition of the graphs $M'_j$ and $G_j^g$, since they now do not have edges outgoing from states where $\theta_1$ does not hold, in accordance with Claim 2. We omit further details.

Now we can state the first main result, where $|\varphi|$ is the number of boolean and temporal operators in $\varphi$, $d$ is the maximum number of exit nodes of $\mathcal{M}$ and $k - 2$ is the maximal constant occurring in the graded modalities of $\varphi$.

Theorem 4. The graded-CTL model checking of an HSM $\mathcal{M}$ can be solved in $O(|\mathcal{M}| \cdot 2^{|\varphi| \cdot d \cdot \log k})$ time.

Proof. The algorithm sketched above considers the subformulas $\psi$ of $\varphi$ and, for each node $u$ in $\mathcal{M}$, sets $u.\psi = TRUE$ if $u$ satisfies $\psi$. For $\psi = E^{>k}\theta$, with $k > 0$ and $\theta = X\theta_1$, the correctness of the algorithm is rather immediate, while if either $\theta = G\theta_1$ or $\theta = \theta_1 U \theta_2$, the correctness of the algorithm mainly relies on the given claims. For the sake of brevity, we omit here the proof of the claims.

The crucial point is to prove that the algorithm detects all the nodes $u$ in a machine $M_j$ such that a non-sink cycle is reached from $\langle b_1 \ldots b_m u \rangle$ along a path including only nodes satisfying $E^{>0}\theta$. Let $u$ be a node in $M_j$. If there is a non-sink cycle reachable from $\langle u \rangle$ in $\mathcal{M}_j^F$, including only nodes in the set $S$ of nodes satisfying $E^{>0}\theta$, then $u \in NSC_j$ and the algorithm sets $u.\psi = TRUE$. Now suppose that there are boxes $b_1, \ldots, b_m$ and that a non-sink cycle is reachable from $\langle b_1 \ldots b_m u \rangle$ in $\mathcal{M}^F$ (again including only nodes in $S$), and suppose also that no non-sink cycle is reachable from $\langle b_r \ldots b_m u \rangle$ for $r > 1$. This implies that there is $z_1 \in OUT_{expn(b_1)}$ and a non-sink cycle reachable from $\langle b_1 z_1 \rangle$ in $\mathcal{M}^F$, and there are $z_1, \ldots, z_m$ such that, for $i = 1, \ldots, m$:

• $z_i \in OUT_{expn(b_i)}$;

• $\langle z_m \rangle$ is reachable from $\langle u \rangle$ in $\mathcal{M}_j^F$;

• $\langle z_i \rangle$ is reachable from $\langle b_{i+1} z_{i+1} \rangle$ in $\mathcal{M}^F_{expn(b_i)}$.

In this case the algorithm sets the corresponding entry in $NSC_{j'}$. Moreover, in the new HSM each $b_i$ will expand into a copy $M^{g_i}_{expn(b_i)}$ of $M_{expn(b_i)}$, where $g_i$ is such that $g_i(z_i) = k+1$. Thus, calling $u^g$ the copy of $u$ in $M_j^g$, the algorithm sets $u^g.\psi = TRUE$.

Similarly, the algorithm detects all the nodes $u$ in $M_j$ such that $k+1$ paths start from $\langle b_1 \ldots b_m u \rangle$ ending in sink cycles including only nodes in $S$. To state the complexity of the algorithm, observe that, while processing a subformula $\psi = E^{>k}\theta$, with $k > 0$ and $\theta \in \{G\theta_1, \theta_1 U \theta_2\}$, the algorithm creates several copies of each machine $M_j$, denoted $M_j^g$, where $g : OUT_j \to \{0, \ldots, k+1\}$. Thus the size of the current HSM grows by a factor not exceeding $k^d$, where $d$ is the maximum number of exit nodes of $\mathcal{M}$ and $k - 2$ is the maximal constant occurring in the graded modalities of $\varphi$. Since, for each operator in $\varphi$, the time spent by the algorithm is linear in the size of the current HSM, the overall running time is $O(|\mathcal{M}| \cdot k^{d|\varphi|}) = O(|\mathcal{M}| \cdot 2^{|\varphi| \cdot d \cdot \log k})$. □

Let us remark that, although the multiple copies created by the given algorithm can be seen as a step towards the flattening of the input HSM, the resulting structure is in general much smaller than the corresponding flat Kripke structure. To solve graded-CTL model checking for SHSM we now show how to reduce it to the model-checking problem for HSM. Let $\mathcal{M} = (M_1, M_2, \ldots, M_h)$ be an SHSM and let $\varphi$ be a graded-CTL formula. Let $AP_\varphi$ be the set of atomic propositions that occur in $\varphi$. The first step of our algorithm consists of constructing an HSM $\mathcal{M}_\varphi$ such that $\mathcal{M}_\varphi^F$ is isomorphic to $\mathcal{M}^F$.

Let $index : \{1, \ldots, h\} \times 2^{AP_\varphi} \to \{1, \ldots, h \cdot 2^{|AP_\varphi|}\}$ be a bijection such that $index(i, P) < index(j, P')$ whenever $i < j$. Clearly, $index$ maps the pairs $(i, P)$ onto a strictly increasing sequence of consecutive positive integers starting from 1. For a machine $M_i = (V_i, in_i, OUT_i, TRUE_i, expn_i, E_i)$, $1 \leq i \leq h$, and $P \subseteq AP_\varphi$, define $M_i^P$ as the machine $(V_i^P, in_i^P, OUT_i^P, TRUE_i^P, expn_i^P, E_i^P)$ where:

• $V_i^P = \{u^P \mid u \in V_i\}$ and $OUT_i^P = \{u^P \mid u \in OUT_i\}$;

• $TRUE_i^P(u^P) = TRUE_i(u) \cup P$ if $u$ is a node, and $TRUE_i^P(u^P) = \emptyset$ otherwise;

• $expn_i^P(u^P) = 0$ if $u$ is a node, and $expn_i^P(u^P) = index(expn_i(u), P \cup TRUE_i(u))$ otherwise;

• $E_i^P = \{(u^P, v^P) \mid (u, v) \in E_i\} \cup \{((u^P, z^{P \cup TRUE_i(u)}), v^P) \mid ((u, z), v) \in E_i\}$.

Let $h' = h \cdot 2^{|AP_\varphi|}$. We define $\mathcal{M}_\varphi$ to be the tuple of machines $(M'_1, \ldots, M'_{h'})$ such that, for $j = 1, \ldots, h'$, $M'_j = M_i^P$ where $j = index(i, P)$. From the definition of $M_i^P$ it is simple to verify that $\mathcal{M}_\varphi$ is an HSM and that $|\mathcal{M}_\varphi|$ is $O(|\mathcal{M}| \cdot 2^{|AP_\varphi|})$. Moreover, $\mathcal{M}_\varphi^F$ and $\mathcal{M}^F$ coincide, up to a renaming of the states. Thus, from Theorem 4 we have the following second main result.

Theorem 5. The graded-CTL model checking of an SHSM $\mathcal{M}$ can be solved in $O(|\mathcal{M}| \cdot 2^{|\varphi| \cdot d \cdot \log k + |AP_\varphi|})$ time.

5. CONCLUSIONS 

In this paper we have proposed the use of graded-CTL specifications to model check hierarchical state machines. We think that the added power in the specification formalism can be fruitfully exploited in the simulation and testing community to get more meaningful test benches to perform simulation of more and more complex systems. We have given algorithms for checking classical HSMs and so-called SHSMs. Let us observe that the alternative approach of model checking the fully expanded flat structure has in general worse performance, because of the exponential gap between an HSM and its corresponding flat structure. In fact, the gain in size of the hierarchical model is in practice much greater than the extra exponential factor paid, which depends on the size of (the formula for) the specification, usually quite small. One last consideration is that we have considered only sequential hierarchical finite state machines (as an abstraction of the DEVS model). It is a standard approach, when model checking concurrent systems, to first sequentialize the model of the SUT (possibly on-the-fly) and then check it with model-checking algorithms for sequential models. Moreover, the cost of considering parallel and communicating machines would lead to a double exponential blow-up, the so-called state explosion problem.